Today, we are releasing security updates for Icinga 2 fixing a critical vulnerability that allowed an attacker to obtain valid certificates from the Icinga CA under certain circumstances. Please note that if Icinga 2 is built with OpenSSL 1.1.0 (released in 2016) or later, it is NOT affected by this issue. This can be checked by running icinga2 --version | grep OpenSSL.
Impact
The VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes.
For this to be exploited, a direct TLS connection to a master capable of signing certificates is required. The bug can also be triggered on other nodes. On these, it only results in an incorrect “Received certificate request for CN ‘[…]’ signed by our CA.” log message before forwarding the request. That forwarded request is then handled correctly by the master and doesn’t trigger the issue.
This only happens with OpenSSL older than version 1.1.0 as it stored a valid flag in the certificate that causes some steps of the verification operation to be skipped. In case this flag is set from a previous operation, this can lead to an incorrect result. The flag in question was removed in OpenSSL 1.1.0, so if Icinga 2 is built with that or a later version, the certificate is always verified completely and the problem doesn’t occur.
Note that for example RHEL 7 and derivatives like Amazon Linux 2 ship OpenSSL 1.0.2, hence Icinga 2 is vulnerable on these platforms.
Patches
The problem has been fixed in the following versions:
Apart from the fix for the aforementioned security issue, the releases include the following additional changes:
- Fix use-after-free in
VerifyCertificate(): Additionally, a use-after-free was found in the same function which is fixed as well, but in case it is triggered, typically only a wrong error code may be shown in a log message. - Windows: Update OpenSSL shipped on Windows to v3.0.16.
- Minor build fixes, these differ between versions, see the individual changelogs linked above.
Users are advised to upgrade Icinga 2 to a fixed version on masters running with OpenSSL 1.0.2 or older immediately.
The source code for the new versions can be found in our Git repository. Updated binary packages are available on packages.icinga.com.
Workarounds
For this to be exploited, a direct TLS connection to a master capable of signing certificates is required, giving two options for a workaround:
- Restrict network access to the masters to only trusted entities.
- Stop the master from signing any new certificates. This can be achieved by renaming the
/var/lib/icinga2/cadirectory. Note that this will prevent you from setting up new nodes as well as prevent existing nodes from renewing their certificates. Certificates are renewed around 30 days before their expiry date, so that’s only a short-term solution as certificates will eventually expire otherwise.
References
- GitHub Security Announcement: GHSA-7vcf-f5v9-3wr6
- Patches (source code): master branch, v2.14.6, v2.13.12, v2.12.12 (requires a second patch as a dependency)
